NSX Federation Global Manager synchronization fails with TLS handshake error on port 1236 after cluster reboot

Article ID: 441621

Updated On:

Products

VMware NSX

Issue/Introduction

- Global Manager (GM) synchronization status shows as **Disconnected** or **Not Started**.
- Asynchronous Replicator (AR) or Appliance Proxy Hub (APH) logs show unreachable remote sites.

- APH error log example:

2026-05-11T14:17:24.031Z xxxxxxxxxxxxxxxxx  NSX 2010 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="2043" level="ERROR" errorCode="NET1111"] Certificate validation failed: 18-self-signed certificate
Issuer: C=US; ST=California; L=Palo Alto; O=VMware, Inc.; emailAddress=#######@######.com; CN=VMware-NSX-ApplProxyHub-CCP;

2026-05-11T14:17:24.031Z xxxxxxxxxxxxxxxxx NSX 2010 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="2043" level="ERROR" errorCode="NET4"] NetTransport[1] Accept on endpoint 'ssl://x.y.z.w:1236 failed with error 167772294-certificate verify failed (SSL routines) from remote endpoint 'ssl-tcp://x.y.z.w:1236'
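The two log lines above are the signature a practitioner looks for after a reboot: an `appl-proxy` NET1111 certificate-validation failure followed by NET4 accept failures on port 1236 from peer managers. The following Python is an added example, not part of this article and not NSX code; it parses that syslog-style line format (timestamp, host, `NSX <pid> -`, a bracketed structured-data element with `key="value"` pairs, then the message), keeps only the handshake failures relevant to this issue, and summarizes which remote peers are being rejected. The log lines embedded below are constructed to match the excerpt, with made-up hostnames and addresses; the error codes and message text are the ones shown above.

```python
"""Scan appl-proxy (APH) log lines for the port-1236 TLS handshake failures."""
import re
from collections import Counter

# Constructed sample input modelled on the log excerpt in this article (not real data).
SAMPLE_LOG = """\
2026-05-11T14:17:24.031Z nsxmgr01 NSX 2010 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="2043" level="ERROR" errorCode="NET1111"] Certificate validation failed: 18-self-signed certificate
2026-05-11T14:17:24.031Z nsxmgr01 NSX 2010 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="2043" level="ERROR" errorCode="NET4"] NetTransport[1] Accept on endpoint 'ssl://10.0.0.5:1236 failed with error 167772294-certificate verify failed (SSL routines) from remote endpoint 'ssl-tcp://10.0.0.9:1236'
2026-05-11T14:17:25.002Z nsxmgr01 NSX 2010 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="2043" level="ERROR" errorCode="NET4"] NetTransport[1] Accept on endpoint 'ssl://10.0.0.5:1236 failed with error 167772294-certificate verify failed (SSL routines) from remote endpoint 'ssl-tcp://10.0.0.17:1236'
2026-05-11T14:17:26.500Z nsxmgr01 NSX 2010 - [nsx@6876 comp="nsx-manager" subcomp="appl-proxy" s2comp="nsx-net" tid="2043" level="INFO"] NetTransport[1] Accepted connection on 'ssl://10.0.0.5:1236' from 'ssl-tcp://10.0.0.21:1236'
"""

# <timestamp> <host> NSX <pid> - [<structured data>] <message>
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+NSX\s+(?P<pid>\d+)\s+-\s+\[(?P<sd>[^\]]*)\]\s+(?P<msg>.*)$'
)
# key="value" pairs inside the bracketed structured-data element
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# the peer that was rejected, as printed in the NET4 message
REMOTE_RE = re.compile(r"remote endpoint 'ssl-tcp://(?P<ip>[^:']+):(?P<port>\d+)'")

HANDSHAKE_CODES = {"NET1111", "NET4"}  # error codes from the excerpt above
APH_PORT = "1236"                      # appl-proxy listener port


def parse_line(line):
    """Return a dict of fields for one APH log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "msg": m.group("msg")}
    rec.update(KV_RE.findall(m.group("sd")))  # comp, subcomp, level, errorCode, ...
    r = REMOTE_RE.search(rec["msg"])
    if r:
        rec["remote_ip"], rec["remote_port"] = r.group("ip"), r.group("port")
    return rec


def handshake_failures(log_text):
    """Keep only appl-proxy ERROR lines that carry this issue's signature."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("subcomp") != "appl-proxy" or rec.get("level") != "ERROR":
            continue
        code = rec.get("errorCode")
        if code not in HANDSHAKE_CODES:
            continue
        # NET4 is a generic transport error; require the TLS verify failure on port 1236
        if code == "NET4" and (
            rec.get("remote_port") != APH_PORT or "certificate verify failed" not in rec["msg"]
        ):
            continue
        out.append(rec)
    return out


def summarize(events):
    """Count error codes and list the peers whose handshakes were rejected."""
    codes = Counter(e["errorCode"] for e in events)
    peers = sorted({e["remote_ip"] for e in events if "remote_ip" in e})
    return {
        "by_code": dict(codes),
        "rejected_peers": peers,
        # both the self-signed validation error and the accept failures must be present
        "matches_kb": codes["NET1111"] > 0 and codes["NET4"] > 0,
    }


if __name__ == "__main__":
    print(summarize(handshake_failures(SAMPLE_LOG)))
```

Feed it the APH log from the affected node (for example via `cat` into stdin or by reading the file into `handshake_failures`); a non-empty `rejected_peers` list whose members are the other managers in the federation, appearing shortly after the reboot, is the condition this article describes. A single NET4 line without the accompanying NET1111 self-signed error is not a match and is more likely a genuine certificate mismatch between sites.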

Environment

VMware NSX

Cause

This issue is caused by a race condition during the NSX Manager boot cycle. The `appl-proxy` service initializes and binds to port 1236 before the local Corfu database has fully converged or established quorum. Consequently, the proxy caches an incomplete trust map (cryptographic thumbprints) in memory and fails to hot-reload these definitions once the database is stable, leading to rejected handshakes from peer managers.

Resolution

To clear the stale trust map, restart the affected management services while the nodes are online and the database is stable:

  1. Log in to the CLI of the affected Standby Manager nodes as `root`.
  2. Restart the cluster manager and async replicator services:

     /etc/init.d/cluster-manager restart
     /etc/init.d/async-replicator-service restart

  3. Verify the synchronization status via the NSX UI or the following API call on the Global Manager:
     `GET https://<nsx-mgr-ip>/api/v1/global-manager/status`

If the issue persists, collect the NSX Manager support bundles from the Global Managers and Local Managers and open a Support Request with Broadcom.
For more information, refer to Creating and managing Broadcom support cases.